
Manage Policy Groups

This guide walks you through creating a Policy Group, adding policies to define tool access rules, attaching the group to an MCP Gateway, and deleting groups when no longer needed.


Prerequisites

  • A GreenNode account with role Root or Admin (Member and Viewer have read-only access)

  • At least one MCP Gateway already created, so the Policy Group has something to be attached to


Create a Policy Group

Step 1: Open the Policy Groups page

  1. Select AgentBase in the left menu

  2. Select MCP Governance → Policy Groups

[Screenshot: Policy Groups list]

  3. Click Create Policy Group

Step 2: Fill in basic information (wizard Step 1)

  1. Enter a Name following these rules:

    • Must start with a letter (a–z, A–Z)

    • Valid characters: letters, digits, underscore _

    • Minimum 5, maximum 50 characters

    • Unique within the organization

    Example names:

    • PolicyGroup_Prod01 ✅

    • sales_agent_policy ✅

    • myPolicy ✅

    • 123invalid ❌ (starts with a digit)

    • name with space ❌ (contains a space)

    • ab ❌ (fewer than 5 characters)

  2. Enter a Description (optional, up to 4096 characters)

  3. Click Create Policy Group → the Policy Builder opens
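The naming rules above translate directly into a validator. The function below is an added example (not part of this documentation or the GreenNode product) that applies the four rules and returns the same reasons the example list gives; the uniqueness rule is checked against a caller-supplied collection of names already used in the organization, which is an assumption about how you would wire it up.

```python
import re

# Rules from Step 2: first character a letter, then letters, digits or
# underscore, 5 to 50 characters in total. The regex encodes rules 1-3;
# uniqueness (rule 4) is checked against `existing`.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{4,49}$")


def check_policy_group_name(name: str, existing=()) -> tuple:
    """Return (valid, reason). Reasons mirror the example list on this page."""
    if len(name) < 5:
        return False, "fewer than 5 characters"
    if len(name) > 50:
        return False, "more than 50 characters"
    # isascii() keeps non-ASCII letters out, since only a-z / A-Z are allowed.
    if not (name[0].isascii() and name[0].isalpha()):
        return False, "must start with a letter"
    if not NAME_RE.fullmatch(name):
        return False, "only letters, digits and underscore are allowed"
    if name in existing:  # constructed check for organization-wide uniqueness
        return False, "already used in this organization"
    return True, "ok"
```

Run it over the names from the list above to confirm that the three valid names pass and that each invalid name is rejected for the stated reason.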


Add Policies (Policy Builder)

After creating the group, the Policy Builder opens (wizard Step 2). You can add up to 20 policies per group.

Step 3: Add a new policy

  1. Click + Add Policy

  2. Enter a Policy name (up to 64 characters, unique within the group, e.g. allow-sales-call-tool)

  3. Enter a Policy description (optional)

Step 4: Choose an Effect

  • ALLOW – permit the agent to execute the action when the policy matches

  • DENY – block the agent from executing the action when the policy matches

Step 5: Choose a Principal

  • All principals (everyone) – applies to all agents calling through the gateway

  • Specific principal – applies only to a specific user or service account

    When choosing Specific, fill in:

    • Type: iam or jwt (iam = IAM identity; jwt = JWT token)

    • Identifier (optional): leave empty → matches all users of that type; enter an ID → matches exactly one user

    Examples:

    • Type jwt, identifier sales-agent-service → serialized as "jwt:sales-agent-service"

    • Type iam, no identifier → serialized as "iam" (matches all IAM users)

    • Type jwt, identifier * → "jwt:*" (valid wildcard, matches all JWT users)

Step 6: Choose a Gateway Scope

  • All gateways (*) – the policy is enforced on every gateway attached to this group

  • Specific gateway(s) – select a subset from the dropdown (only gateways already attached to this group are listed)

Step 7: Choose an Action

  • All actions (*) – applies to all tools/call requests

  • Specific actions – enter exact patterns in the format targetName__toolName

    Examples of valid action patterns:

Step 8: Add Conditions (optional)

  1. Enable the Add conditions toggle

  2. Click + Add Condition

  3. Select an Operator, enter a Key and Value

  4. Repeat to add more conditions; all of them must be true for the policy to match (AND logic)


Policy Examples

Example 1 – ALLOW all agents to call any tool

Use as a baseline "permit all", combined with more specific DENY policies layered on top.


Example 2 – ALLOW only a sales agent to call payment tools

Serialized principal: "jwt:sales-agent-service"

Only the agent sales-agent-service, with role sales, can call chargeCard and getBalance.


Example 3 – DENY all requests outside business hours (before 8 AM)

Create a second policy to also block after 5 PM:

Because the conditions within one policy combine with AND, a single policy cannot express "before 8 AM OR after 5 PM"; split the rule into two separate DENY policies, one for before 8 AM and one for after 5 PM.


Example 4 – ALLOW only internal network traffic

Pair with a DENY-all policy at the bottom to block all external requests:

Because evaluation stops at the first match, allow-internal-only (placed first) permits internal traffic; deny-all-fallback (placed last) blocks everything else.
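To make the rules in Steps 5 to 8 and Examples 2 to 4 concrete, here is an added Python model of the evaluation semantics described on this page: ordered policies, first match wins, deny when nothing matches, principal serialization as "type" or "type:identifier", exact targetName__toolName action patterns, and AND-combined conditions. It is an illustration written for this page, not GreenNode's policy engine. The condition operators (equals, less_than, greater_than, in_cidr), the context keys (hour, role, source_ip), the target name "payments", the 10.0.0.0/8 range and the 5 PM boundary expressed as hour > 17 are all assumptions, as is the gateway name gw-main.

```python
"""Toy model of the policy evaluation semantics described on this page (added
illustration, not GreenNode's engine): policies are checked in order, the first
matching policy decides, and a request that matches nothing is denied."""
import ipaddress
from dataclasses import dataclass


def serialize_principal(ptype: str, identifier: str = "") -> str:
    """Step 5 serialization: "iam"/"jwt" alone, or "<type>:<identifier>"."""
    if ptype not in ("iam", "jwt"):
        raise ValueError(f"unknown principal type: {ptype}")
    return f"{ptype}:{identifier}" if identifier else ptype


def principal_matches(pattern: str, caller: str) -> bool:
    """'*' matches everyone; 'jwt' or 'jwt:*' match every JWT caller; 'jwt:<id>' exactly one."""
    if pattern == "*":
        return True
    ptype, _, ident = pattern.partition(":")
    ctype, _, cident = caller.partition(":")
    return ptype == ctype and (ident in ("", "*") or ident == cident)


# The page does not name the condition operators; these four are assumptions.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "less_than": lambda actual, expected: actual < expected,
    "greater_than": lambda actual, expected: actual > expected,
    "in_cidr": lambda actual, expected: ipaddress.ip_address(actual) in ipaddress.ip_network(expected),
}


@dataclass(frozen=True)
class Condition:
    operator: str
    key: str
    value: object

    def holds(self, context: dict) -> bool:
        # A request that lacks the attribute never satisfies the condition.
        return self.key in context and OPERATORS[self.operator](context[self.key], self.value)


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                 # "ALLOW" or "DENY"
    principal: str = "*"        # "*", "iam", "jwt", "jwt:*" or "jwt:<id>"
    gateways: tuple = ("*",)    # Step 6 scope: "*" = every gateway attached to the group
    actions: tuple = ("*",)     # Step 7: exact "targetName__toolName" patterns, or "*"
    conditions: tuple = ()      # Step 8: every condition must hold (AND)

    def matches(self, request: dict) -> bool:
        ctx = request.get("context", {})
        return (principal_matches(self.principal, request["principal"])
                and ("*" in self.gateways or request["gateway"] in self.gateways)
                and ("*" in self.actions or request["action"] in self.actions)
                and all(c.holds(ctx) for c in self.conditions))


def evaluate(policies: list, request: dict) -> tuple:
    """First match wins; (DENY, None) when no policy matches."""
    for policy in policies:
        if policy.matches(request):
            return policy.effect, policy.name
    return "DENY", None


# Constructed group mirroring Examples 2-4 (values marked above are assumptions).
GROUP = [
    Policy("deny-before-8", "DENY", conditions=(Condition("less_than", "hour", 8),)),
    Policy("deny-after-17", "DENY", conditions=(Condition("greater_than", "hour", 17),)),
    Policy("allow-sales-payment", "ALLOW",
           principal=serialize_principal("jwt", "sales-agent-service"),
           actions=("payments__chargeCard", "payments__getBalance"),
           conditions=(Condition("equals", "role", "sales"),)),
    Policy("allow-internal-only", "ALLOW",
           conditions=(Condition("in_cidr", "source_ip", "10.0.0.0/8"),)),
    Policy("deny-all-fallback", "DENY"),
]


def request(principal, action, hour, source_ip, role=None, gateway="gw-main"):
    """Build a constructed tools/call request for the model."""
    ctx = {"hour": hour, "source_ip": source_ip}
    if role is not None:
        ctx["role"] = role
    return {"principal": principal, "gateway": gateway, "action": action, "context": ctx}
```

Two things worth trying with the model: move deny-all-fallback to the top of GROUP and every request is denied, which is the ordering pitfall Example 4 warns about; and drop the role attribute from a sales request, which falls through allow-sales-payment (a missing attribute never satisfies a condition) and ends at deny-all-fallback.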


Step 9: Save

Click Save Changes → the group transitions to Active status and the Policy Group Detail page opens.

[Screenshot: Policy Group Detail]
[Screenshot: Policy Detail within Group]

Attach a Policy Group to a Gateway

There are three ways to attach a group to a gateway:

Option 1 – From Policy Group Detail

  1. Open Policy Group Detail (click the group name from the list)

  2. Select the Associated Gateways tab

  3. Click Associate Gateway

  4. Select a gateway from the dropdown

  5. Click Confirm

Option 2 – From the Policy Groups list

  1. Tick the checkbox on the group row

  2. Click Associate Gateway (green outline button on the toolbar)

  3. Select a gateway and click Confirm

Option 3 – From MCP Gateway Detail

See Manage MCP Gateway.


Detach a Gateway from a Policy Group

  1. Open Policy Group Detail → Associated Gateways tab

  2. Locate the gateway → click Detach

  3. Confirm in the dialog

After detaching, the gateway has no policy control: every tools/call request through that gateway is denied until a new Policy Group is attached.


Delete a Policy Group

  1. Go to Policy Groups

  2. Tick the checkbox on the group row

  3. Click Delete (red button) → review the warning and confirm


Result

After completing these steps, the Policy Group is in Active status and attached to the gateway. Every tools/call request through that gateway is evaluated against the group's policies in order: the first matching policy wins, and the request is denied by default if no policy matches.

I want to...

  • Understand the evaluation flow in detail

  • Configure an MCP Gateway
